F7 mls enforcing failed login and recursive fault

Stephen Smalley sds at tycho.nsa.gov
Wed Aug 22 11:57:40 UTC 2007


On Tue, 2007-08-21 at 19:19 -0500, Joe Nall wrote:
> I built and fully updated an F7/MLS system today and was unable to  
> log in in MLS enforcing from the console or ssh (no X, init level 2 or  
> 3). I rebooted with a clean audit.log in permissive mode, logged in  
> and found two login-related denials
> 
> type=AVC msg=audit(1187740851.272:22): avc:  denied   
> { audit_control } for  pid=2299 comm="login" capability=30  
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023  
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023  
> tclass=capability

Hmmm...why does the Fedora policy differ from refpolicy in its
audit-related permissions and interfaces?

> and a second dbus related one that I was unable to replicate for this  
> email
> 
> I created a quick policy to see if I could log in in enforcing mode.
> 
> policy_module(f7fix,1.0.0)
> 
> gen_require(`
>          type local_login_t, initrc_t;
>          class dbus send_msg;
> ')
> 
> allow local_login_t initrc_t:dbus send_msg;
> allow local_login_t self:capability audit_control;

Should really be using a refpolicy interface if one exists to grant
these kinds of permissions.  Sadly, audit2allow -R doesn't seem to turn
anything up here for the avc above.

> and got this nasty result
> 
> Aug 21 18:19:12 f7 kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0000   
> ss: 0068
> Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000  
> task=f70de2b0 task.ti=f7f98000)
> Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac  
> fffffff3 fffffff3 00000000 c04ad93d
> Aug 21 18:19:12 f7 kernel:        c06f27a0 f77b8878 c04ad987 f77b8800  
> f77b8800 f77b8878 c0555fae f7c8df00
> Aug 21 18:19:12 f7 kernel:        c05509ee f77b8800 f773e938 00000000  
> 00000000 c0550a20 f70aa800 c053660d
> Aug 21 18:19:12 f7 kernel: Call Trace:
> Aug 21 18:19:12 f7 kernel:  [<c04ad93d>] remove_files+0x15/0x1e
> Aug 21 18:19:12 f7 kernel:  [<c04ad987>] sysfs_remove_group+0x41/0x57
> Aug 21 18:19:12 f7 kernel:  [<c0555fae>] device_pm_remove+0x32/0x70
> Aug 21 18:19:12 f7 kernel:  [<c05509ee>] device_del+0x183/0x1ad
> Aug 21 18:19:12 f7 kernel:  [<c0550a20>] device_unregister+0x8/0x10
> Aug 21 18:19:12 f7 kernel:  [<c053660d>] vcs_remove_sysfs+0x17/0x31
> Aug 21 18:19:12 f7 kernel:  [<c053b24a>] con_close+0x49/0x5b
> Aug 21 18:19:12 f7 kernel:  [<c052fec7>] release_dev+0x1df/0x5e3
> Aug 21 18:19:12 f7 kernel:  [<c045d35e>] free_pages_bulk+0x100/0x16e
> Aug 21 18:19:12 f7 kernel:  [<c045d585>] __pagevec_free+0x14/0x1a
> Aug 21 18:19:12 f7 kernel:  [<c045f7a5>] release_pages+0x10a/0x112
> Aug 21 18:19:12 f7 kernel:  [<c05302da>] tty_release+0xf/0x18
> Aug 21 18:19:12 f7 kernel:  [<c04765eb>] __fput+0xb4/0x16a
> Aug 21 18:19:12 f7 kernel:  [<c04740f9>] filp_close+0x51/0x58
> Aug 21 18:19:12 f7 kernel:  [<c0428683>] put_files_struct+0x5f/0xa7
> Aug 21 18:19:12 f7 kernel:  [<c04296be>] do_exit+0x21f/0x6d3
> Aug 21 18:19:12 f7 kernel:  [<c0429bdf>] sys_exit_group+0x0/0xd
> Aug 21 18:19:12 f7 kernel:  [<c0404f70>] syscall_call+0x7/0xb
> Aug 21 18:19:12 f7 kernel:  [<c0600000>] __sched_text_start+0x6e8/0x89e
> Aug 21 18:19:12 f7 kernel:  =======================
> Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00  
> c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24  
> 0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54  
> 83 c0 74 89 54 24 08
> Aug 21 18:19:12 f7 kernel: EIP: [<c04ab620>] sysfs_hash_and_remove 
> +0x18/0x110 SS:ESP 0068:f7f98e04
> Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!

That should have shown up as a denial on sysfs_t unless it was
dontaudit'd.  sysfs code had a bug where it wasn't checking for failure
on a lookup, triggerable upon SELinux permission denial.  Already fixed
in the mainline kernel as of 2.6.23-rc1 and later I believe.

> 
> potentially relevant rpm versions
> 
> kernel-2.6.21-1.3194.fc7
> audit-1.5.3-1.fc7
> util-linux-2.13-0.52.fc7
> checkpolicy-2.0.3-1.fc7
> policycoreutils-2.0.16-11.fc7
> policycoreutils-gui-2.0.16-11.fc7
> policycoreutils-newrole-2.0.16-11.fc7
> seedit-policy-2.1.1-2.fc7.2
> selinux-policy-2.6.4-33.fc7
> selinux-policy-devel-2.6.4-33.fc7
> selinux-policy-mls-2.6.4-33.fc7
> selinux-policy-targeted-2.6.4-33.fc7
> 
> joe
> 
-- 
Stephen Smalley
National Security Agency
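The thread turns on how a raw AVC record becomes a policy rule: Joe's f7fix module is exactly what a tool like audit2allow derives from the quoted denial, and Stephen's point is that such a derived `allow` is the fallback when no refpolicy interface covers the permission. The following is an added example, not audit2allow, refpolicy or any code from this thread. It parses AVC records into their fields, splits the MLS-ranged contexts correctly (the range `s0-s15:c0.c1023` contains a colon, so a naive split on `:` breaks), derives the equivalent `allow` rule (using `self` when source and target types coincide, as with the capability denial), and assembles a minimal module in the same shape as f7fix. The first log line is the capability denial quoted in Joe's mail with the line wrapping undone; the dbus record and the SYSCALL record are constructed for this example, since the dbus denial was not reproduced on the page.

```python
"""Parse SELinux AVC denial records and derive the raw allow rules they imply.

Added example for this thread; it is not audit2allow or refpolicy code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample audit records.  The first is the denial quoted in the thread, rejoined
# onto one line.  The dbus denial and the SYSCALL record are constructed here
# (the dbus one mirrors the rule Joe wrote by hand) and are not from the page.
SAMPLE_LOG = """\
type=AVC msg=audit(1187740851.272:22): avc:  denied  { audit_control } for  pid=2299 comm="login" capability=30 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1187740852.001:23): avc:  denied  { send_msg } for  pid=2299 comm="login" scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=dbus
type=SYSCALL msg=audit(1187740851.272:22): arch=40000003 syscall=102 success=no exit=-13
"""

# "type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm="login") or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    verdict: str
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, which: str) -> str:
        # A context is user:role:type:range.  The MLS range itself contains a
        # colon (s0-s15:c0.c1023), so split at most three times and take the
        # type component.
        return self.fields[which].split(":", 3)[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(int(m.group("serial")), m.group("verdict"),
                     m.group("perms").split(), fields)


def parse_log(text: str) -> List[AvcRecord]:
    """Parse every AVC record in a block of audit log text, skipping the rest."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def _perm_set(perms) -> str:
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_allow_rule(rec: AvcRecord) -> str:
    """Derive the raw allow rule that would silence this denial.

    When source and target types are the same (e.g. a process exercising a
    capability on itself), policy language spells the target as 'self'.
    """
    stype, ttype = rec.type_of("scontext"), rec.type_of("tcontext")
    target = "self" if stype == ttype else ttype
    return f"allow {stype} {target}:{rec.fields['tclass']} {_perm_set(rec.perms)};"


def to_policy_module(name: str, version: str, recs: List[AvcRecord]) -> str:
    """Assemble a minimal loadable module in the shape of the thread's f7fix.

    Every type and class the rules reference is listed in gen_require(); the
    denials themselves become raw allow rules.  A refpolicy interface call is
    preferable where one exists for the permission in question.
    """
    types = sorted({t for r in recs for t in (r.type_of("scontext"), r.type_of("tcontext"))})
    classes: Dict[str, set] = {}
    for r in recs:
        classes.setdefault(r.fields["tclass"], set()).update(r.perms)
    lines = [f"policy_module({name},{version})", "", "gen_require(`",
             "\ttype " + ", ".join(types) + ";"]
    lines += [f"\tclass {cls} {_perm_set(ps)};" for cls, ps in sorted(classes.items())]
    lines += ["')", ""] + [to_allow_rule(r) for r in recs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        # capability=30 in the quoted record is CAP_AUDIT_CONTROL
        print(f"serial {rec.serial}: {to_allow_rule(rec)}")
    print(to_policy_module("f7fix", "1.0.0", records))
```

Run against the sample, the capability denial yields `allow local_login_t self:capability audit_control;` and the constructed dbus record yields `allow local_login_t initrc_t:dbus send_msg;`, which are the two lines of Joe's module. The output is only as good as the denial it was fed: a rule derived this way grants exactly the access that was denied, with none of the surrounding structure a refpolicy interface would bring, so it belongs in a local module only after checking, as Stephen suggests, whether `audit2allow -R` or a manual search of the interfaces turns up a proper one.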